Hi,
I enabled the HAB (CONFIG_IMX_HAB) and FIT image verification in u-boot. It also has CAAM related options and "CONFIG_RSA_FREESCALE_EXP" enabled automatically. However, u-boot failed to verify my signed FIT image. I also forced the FIT image verification to use "mod_exp_sw" and it worked well.
The error message was "fsl_mod_exp: RSA failed to verify: -1". It seems the error happened in "drivers/crypto/fsl/jr.c: run_descriptor_jr_idx()" when it was calling "jr_dequeue()".
Is there any way I can verify that the CAAM and fsl_rsa_mod are working on my device?
My environment:
- i.mx8m mini
- atf + op-tee enabled
- u-boot is the upstream v2021.07 version from the hardware vendor
- sha256 and rsa204 are used for FIT image signatures.
Thank you
Hi @Yuri
The post you provided is not the same as my issue. U-boot did load the kernel FIT image successfully. The verification failed in CAAM (fsl_mod_exp() of u-boot).
So I was wondering if it's possible to test CAAM in u-boot, or if there's any document showing how to access CAAM.
Thanks,
Well, for anybody stumbling on this thread:
In U-Boot 2020.04 I had the problem that the FIT image verification with iminfo was OK, but bootm did not find the signature. I do not want to use the HAB certificates, but instead only rely on the FIT signature.
I've enabled CONFIG_SPL_RSA and CONFIG_RSA_SOFTWARE_EXP and patched lib/rsa/rsa-verify.c:rsa_verify_key to move back to software checking as such:
	ret = rsa_mod_exp(mod_exp_dev, sig, sig_len, prop, buf);
	if (ret) {
		/* Hardware modular exponentiation failed: report it, then retry in software */
		printf("%s: error rsa_mod_exp\n", __func__);
		printf("%s: attempting rsa_mod_exp_sw instead \n", __func__);
		ret = rsa_mod_exp_sw(sig, sig_len, prop, buf);
	}
This seems to work.
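Added example, not code from this thread or from U-Boot: a host-side Python model of the hardware-to-software fallback discussed above, showing that whichever backend computes sig^e mod n, the result is still compared against the expected PKCS#1 v1.5 / SHA-256 block, so a modified image is rejected on the fallback path too. The toy key, the function names and the failing "hardware" backend are constructed for illustration, and PKCS#1 v1.5 padding is assumed.

```python
import hashlib
import hmac

# Constructed toy key for this example only (two Mersenne primes): NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(message, k=K):
    """Encoded block a valid signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message):
    """Host-side signing with the toy key (mkimage's role in a real build)."""
    em = int.from_bytes(emsa_pkcs1_v15(message), "big")
    return pow(em, D, N).to_bytes(K, "big")

def sw_mod_exp(sig):
    """Software backend: sig^E mod N, the job of rsa_mod_exp_sw."""
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")

def failing_hw_mod_exp(sig):
    """Hypothetical accelerator backend that errors out, like the -1 in the thread."""
    raise OSError("job ring dequeue failed")

def verify_with_fallback(message, sig, hw=failing_hw_mod_exp, sw=sw_mod_exp):
    """Return (signature_ok, backend_used). Fallback happens only on a backend error."""
    try:
        out, used = hw(sig), "hw"
    except OSError:
        out, used = sw(sig), "sw"
    # Whichever backend ran, its output is still compared with the expected padding.
    return hmac.compare_digest(out, emsa_pkcs1_v15(message)), used

if __name__ == "__main__":
    image = b"constructed FIT image bytes"
    sig = sign(image)
    print(verify_with_fallback(image, sig))                 # fallback path
    print(verify_with_fallback(image, sig, hw=sw_mod_exp))  # healthy backend
    print(verify_with_fallback(image + b"!", sig))          # modified image
```

The same known-answer idea applies on the target: a signature whose software result is known gives a fixed expected output to compare the accelerator path against.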